Method and system for authorization and access control delegation in an on demand grid environment

ABSTRACT

The method of the invention provides for dynamic on-demand delegation of control and access in a grid computing environment comprising: granting authority of a grid node to a first moderator by a superauthority; admitting the first moderator to the grid node; modifying the access control list of the grid node by the first moderator; inviting other entities listed on the access control list to access the grid node; and issuing a unique authorization certificate to each of the other entities, wherein the first moderator controls the inviting of the other entities without contact with or access to the superauthority for certification.

BACKGROUND

1. Field of the Invention

The embodiments of the invention generally relate to computer security, and, more particularly, to computer security and access control in grid computing environments.

2. Description of the Related Art

With the advent of collaborative computing and data sharing, more and more new modes of interaction have evolved, resulting in the use of distributed resources for large-scale scientific research. Work within this collaborative computing environment has led to the development of grid technologies, which have become involved in scientific and enterprise computing.

In grid computing, heterogeneous resources distributed geographically are virtualized as a unified whole. Grid computing, as a result, provides enormous opportunity in terms of resource sharing, maximization of resource utilization and virtualization of resources. Grid computing has potential not only for the scientific community, but also for the enterprise information technology (IT) communities.

However, there are security issues and implications in the wide-spread use of grid computing. Because grid computing involves running applications in diverse environments, different types of security issues arise. Security issues in the area of grid computing can be broadly classified into system level, architectural, and interoperability issues.

System level security issues deal with the problem of running a foreign application on one's system. Architectural security issues deal with the development of a secure infrastructure for the grid system. Interoperability issues include establishing a secure infrastructure including encryption, authentication and authorization in a grid based environment.

Current grid solutions for dealing with authentication and authorization rely on a Public Key Infrastructure (PKI) where every end entity owns an X509 certificate and authentication against grid nodes is done through common PKI mechanisms with a trusted authority. However, authorization is handled at a different level, usually by means of a separate asynchronous process like grid-map files. This second process is not dynamic and is difficult to tie to the authentication process in an on demand environment where authorization can be granted and denied on demand.

U.S. Pat. No. 6,901,448, incorporated herein by reference, discloses a method for a distributed collaborative computing environment and a security protocol involving encryption processes. U.S. Pat. No. 7,028,181, incorporated herein by reference, discloses a system and method for revocation of a signature certificate in a PKI.

SUMMARY

The method of the present invention provides for flexible on-demand authorization and authentication of entities wishing to access grid nodes, when the grid is used for real time collaboration between different parties. The method of the invention provides for dynamic on-demand delegation of control and access in a grid computing environment comprising: granting authority of a grid node to a moderator by a superauthority; admitting the moderator, which is a user having special access, to the grid node; modifying the access control list of the grid node by the moderator; inviting other entities listed on the access control list to access the grid node; and said moderator issuing a unique authorization certificate to each of the other entities, wherein the moderator controls the inviting of the other entities without the need for contact with or access to the superauthority for certification.

In view of the foregoing, an embodiment of the invention provides that the modification of the access control list of the grid node includes adding or deleting/removing other entities (e.g., clients, users, etc.) on the grid node's access control list. Embodiments of the invention further comprise the moderator delegating authority to privileged users or additional moderators. The moderator controls the delegation of privileged users or additional moderators without contacting or accessing the superauthority for certifications or authorization. It will be understood by those of skill in the art that, as used herein, the terms additional moderator and privileged user may be used interchangeably.

In another embodiment of the invention, the modification of the access control list can be performed by either the moderator or the privileged user. The privileged users, however, cannot revoke or remove the moderator's authority to assign new privileged users or moderators or to assign new users to the access control list of the grid node. The privileged users or additional moderators can delegate other moderators in addition to modifying the access control list.

These and other aspects of the embodiments of the invention will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following descriptions, while indicating preferred embodiments of the invention and numerous specific details thereof, are given by way of illustration and not of limitation. Many changes and modifications may be made within the scope of the embodiments of the invention without departing from the spirit thereof, and the embodiments of the invention include all such modifications.

BRIEF DESCRIPTION OF THE DRAWINGS

The embodiments of the invention will be better understood from the following detailed description with reference to the drawings, in which:

FIG. 1 is a flow diagram illustrating a preferred method of an embodiment of the invention.

FIG. 2 is a schematic diagram of the communication network of moderator, superauthority, node and client (user); and

FIG. 3 is a representative hardware environment for practicing the embodiments of the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The embodiments of the invention and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. It should be noted that the features illustrated in the drawings are not necessarily drawn to scale. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments of the invention. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments of the invention may be practiced and to further enable those of skill in the art to practice the embodiments of the invention. Accordingly, the examples should not be construed as limiting the scope of the embodiments of the invention.

As mentioned, there remains a need for flexible on-demand authorization and authentication of entities wishing to access grid nodes, when the grid is used for real time collaboration between different parties. The embodiments of the invention achieve this by providing a method for dynamic delegation of control in a grid computing environment. Referring now to the drawings, and more particularly to FIGS. 1 through 3 where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments of the invention.

The invention, described herein, delegates control of a node in a grid environment in a scalable and dynamic way. FIG. 1 illustrates a flow diagram of the method. A method for dynamic delegation of control in a grid computing environment comprises: granting authority of a grid node to a moderator, which is a user having special access, by a superauthority (100); admitting the moderator to the grid node (102); and modifying an access control list (ACL) of the grid node by the moderator (108). The modification of the access control list includes adding or deleting other entities (e.g., users, clients, etc.). The method further comprises inviting the other entities listed on the access control list to access the grid node (104); and the moderator, or in certain embodiments a privileged user, issuing a unique authorization certificate to each of the other entities (106), wherein the moderator controls the inviting of the other entities without the need for the moderator or the other entities to contact the superauthority for authorization certificates.

The method further comprises steps wherein the moderator delegates authority to privileged users (additional moderators) (110). Again, the first moderator controls the delegation of privileged users having moderator abilities without the need for contact with the superauthority. The first moderator and privileged users have the authority to modify the access control list and assign or remove new moderators. However, the privileged users have all the authority of a moderator with the exception that privileged users may not remove the first moderator from the grid node. The moderator may remove himself from the node and assign a new moderator, having the full authority of the first moderator.

Moderators can be considered, within the context of the invention, users with the same privileges as a super authority, i.e., “super users.” Thus, moderators have superior access control and abilities that the regular users do not have. The super authority is an authority which grants authorization certificates to moderators of a node and can make a regular user a ‘super user’ or moderator by granting specific credentials (X509 certificates usually).

A moderator, e.g., a super user, can make other people privileged users, but not super users, as only the super authority can make those people super users. Privileged users, i.e., additional moderators, are granted different abilities. The most basic one is to get access to the resources, and the other ability they can be granted by the super user/moderator is the ability to make other people privileged users and/or remove their privileged ability. The only thing that privileged users will not be able to do is revoke the ‘super user’ ability of the super user. In that sense, the super user will always have overriding capabilities over its delegated privileged users. The capabilities a super user/moderator can grant to privileged users can be anything and everything, and should not be limited, e.g., granting access to the local machine/node and granting the ability to delegate this access to other people.

Another embodiment of the invention involves a computer program product readable by machine, tangibly embodying a program of instructions executable by said machine to perform the method for dynamic delegation of control in a grid computing environment described herein. Yet another embodiment of the invention is a service for dynamic delegation of control in a grid computing environment comprising: granting authority of a grid node to a first moderator by a superauthority; admitting the first moderator entity to the grid node; modifying an access control list of the grid node by the first moderator; inviting other entities listed on the access control list to access the grid node; and issuing a unique authorization certificate to each of the other entities.

FIG. 2 illustrates schematically the various entities in the method described herein. The moderator receives a certificate from the central authority/superauthority (200) to access the grid node (206) and to modify access to the grid node. The moderator (204) controls modification of the access control list, and the assignment or removal of clients (e.g., users, entities, etc.) (202) to the grid node (206).

FIG. 3 illustrates a flow diagram according to an embodiment of the invention. The embodiments of the invention can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment including both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.

Furthermore, the embodiments of the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.

The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.

A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.

Input/output (I/O) devices (including but not limited to keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening I/O controllers. Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modems and Ethernet cards are just a few of the currently available types of network adapters.

A representative hardware environment for practicing the embodiments of the invention is depicted in FIG. 3. This schematic drawing illustrates a hardware configuration of an information handling/computer system in accordance with the embodiments of the invention. The system comprises at least one processor or central processing unit (CPU) 10. The CPUs 10 are interconnected via system bus 12 to various devices such as a random access memory (RAM) 14, read-only memory (ROM) 16, and an input/output (I/O) adapter 18. The I/O adapter 18 can connect to peripheral devices, such as disk units 11 and tape drives 13, or other program storage devices that are readable by the system. The system can read the inventive instructions on the program storage devices and follow these instructions to execute the methodology of the embodiments of the invention. The system further includes a user interface adapter 19 that connects a keyboard 15, mouse 17, speaker 24, microphone 22, and/or other user interface devices such as a touch screen device (not shown) to the bus 12 to gather user input. Additionally, a communication adapter 20 connects the bus 12 to a data processing network 25, and a display adapter 21 connects the bus 12 to a display device 23 which may be embodied as an output device such as a monitor, printer, or transmitter, for example.

More particularly describing the invention, a third party is not required for the delegation of control during the process, which achieves scalability. Once entity A (e.g., the moderator) has gained control over machine X (e.g., the grid node) through regular grid access control approaches, entity A can delegate control to entity B (e.g., users, clients, etc.) directly by updating the ACL of machine X. Machine X will grant access to entity B as long as entity A's access is valid. When entity A's access expires, entity B's access will expire as well. Thus, the delegation control process is dynamic. At any time, any moderator entity that has control over the node can terminate another entity's access control rights and operations. One goal of the invention is to provide authentication and authorization among grid nodes in a dynamic and real time environment. Although in some embodiments other entities may access the superauthority, generally only the moderator needs to access the superauthority, thus providing flexible access to the grid node in collaborative computing environments.

Only one entity needs to contact a super authority to get access to a grid node. All other entities will be able to authenticate and authorize against this grid node without having to access a third party (e.g., superauthority). The ACLs can be dynamically updated in real time without disruption of the service and without intervention of a third party. This method is advantageous because it can delegate access control in a distributed system without having to contact a central/third party authority, as is common in most systems.

Even more particularly, assuming N entities need to connect to grid node A for collaboration, each entity needs to be authenticated and authorized. A first entity, e.g., the moderator, may obtain a credential or proxy certificate to access the node A. A regular super authority will deliver this proxy certificate after authentication and an authorization check.

The moderator will then present this proxy to node A to gain access. Node A will check that the proxy is valid and signed by the super authority, then grant access to the moderator. Once the moderator controls the application on node A, the moderator will be able to change the dynamic ACL for this application instance through a secure connection. Node A will then invite the (N−1) other entities to access the application on node A. Each entity X in turn will directly contact node A and show a unique certificate (e.g., X509 certificate, etc.) for authentication purposes through a secure sockets layer (SSL) connection. Node A, after checking authentication of entity X through regular PKI processes, will check authorization against the dynamic ACL created by the moderator. The entity X will then either be granted or denied access. The entity X in the present embodiment may include clients, users or even other grid nodes.

The moderator M can delegate its moderator ability to other clients once granted access. This delegation is done securely over an SSL connection with the application on node A. As a result, even if the moderator leaves the application, there are still other moderators who can control the access to the application, either by inviting other clients or denying other clients. With this process, all clients are authenticated and authorized correctly against a grid node without having to contact a third party superauthority for managing authorization. As a result, a scalable and dynamic method for authenticating and authorizing clients to access a grid application is achieved.
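The delegation rules above (a privileged user may delegate further but never remove the first moderator; entity B's access lapses when entity A's does) and the node-side check on entity X are modelled in this added Python example, which is not part of the patent; the entity names, the integer clock standing in for certificate validity, the issuer comparison standing in for PKI signature verification, and the rule that a delegated entry inherits its delegator's expiry are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SUPERAUTHORITY = "superauthority"  # constructed name for the central authority (FIG. 2, 200)


@dataclass
class ProxyCertificate:
    """Credential shown to the node; the issuer check stands in for PKI signature validation."""
    subject: str
    issuer: str     # the superauthority for the first moderator, else the delegating moderator
    not_after: int  # validity end on a constructed integer clock


@dataclass
class AclEntry:
    delegated_by: str
    not_after: int
    privileged: bool  # may modify the ACL and delegate further (a "privileged user")


class GridNode:
    """Dynamic ACL of one grid node; every entry's validity is chained back to the superauthority."""

    def __init__(self) -> None:
        self.moderator: Optional[str] = None  # first moderator, installed once by the superauthority
        self.acl: dict[str, AclEntry] = {}

    def admit_moderator(self, cert: ProxyCertificate, now: int) -> bool:
        # Steps 100/102: only a superauthority-signed, unexpired proxy installs the first moderator
        if self.moderator is not None or cert.issuer != SUPERAUTHORITY or cert.not_after <= now:
            return False
        self.moderator = cert.subject
        self.acl[cert.subject] = AclEntry(SUPERAUTHORITY, cert.not_after, privileged=True)
        return True

    def authorized(self, subject: str, now: int) -> bool:
        # Walk the delegation chain: B is valid only while A, who granted B, is itself valid
        seen: set = set()
        while subject in self.acl and subject not in seen:
            seen.add(subject)
            entry = self.acl[subject]
            if entry.not_after <= now:
                return False
            if entry.delegated_by == SUPERAUTHORITY:
                return True
            subject = entry.delegated_by
        return False  # unknown subject, or a chain that no longer reaches the superauthority

    def delegate(self, actor: str, subject: str, now: int, privileged: bool = False) -> bool:
        # Steps 108/110: a moderator or privileged user adds an entity, optionally as another moderator
        if not self.authorized(actor, now) or not self.acl[actor].privileged:
            return False
        # Assumption: the new entry inherits the delegator's expiry, so it cannot outlive its grantor
        self.acl[subject] = AclEntry(actor, self.acl[actor].not_after, privileged)
        return True

    def revoke(self, actor: str, subject: str, now: int) -> bool:
        # Any moderator may terminate another entity's access, but never the first moderator's
        if not self.authorized(actor, now) or not self.acl[actor].privileged:
            return False
        if subject == self.moderator and actor != self.moderator:
            return False
        return self.acl.pop(subject, None) is not None

    def authenticate_and_authorize(self, cert: ProxyCertificate, now: int) -> bool:
        # Node-side check for entity X (steps 104/106): the unique certificate must be unexpired and
        # issued by the entry's delegator; authorization is then decided by the dynamic ACL alone
        entry = self.acl.get(cert.subject)
        if entry is None or cert.not_after <= now or cert.issuer != entry.delegated_by:
            return False
        return self.authorized(cert.subject, now)
```

Note that at no point after `admit_moderator` does the node consult the superauthority; every later decision is a local ACL walk.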

The foregoing description of the specific embodiments will so fully reveal the general nature of the invention that others can, by applying current knowledge, readily modify and/or adapt for various applications such specific embodiments without departing from the generic concept, and, therefore, such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Therefore, while the embodiments of the invention have been described in terms of preferred embodiments, those skilled in the art will recognize that the embodiments of the invention can be practiced with modification within the spirit and scope of the appended claims.

CLAIMS

1. A method for dynamic delegation of control in a grid computing environment comprising: granting authority of a grid node to a moderator by a superauthority; admitting said moderator to said grid node; modifying an access control list of said grid node by said moderator; and inviting other entities listed on said access control list to access said grid node, wherein said first moderator controls said inviting of said other entities without contact with said superauthority.

2. The method of claim 1, wherein said modifying comprises adding or deleting said other entities on said access control list.

3. The method of claim 1, further comprising issuing a unique authorization certificate to each of said other entities.

4. The method of claim 1, further comprising delegating privileged users by said moderator, wherein said moderator controls said delegating privileged users without contact with said superauthority.

5. The method of claim 4, wherein said modifying of said access control list is performed by either said moderator or said privileged users.

6. The method of claim 4, wherein said delegating of said privileged users is performed by said moderator or privileged users.

7. A method for dynamic delegation of control in a grid computing environment comprising: granting authority of a grid node to a moderator by a superauthority; admitting said moderator to said grid node; modifying an access control list of said grid node by said moderator; inviting other entities listed on said access control list to access said grid node; and issuing a unique authorization certificate to each of said other entities; wherein said moderator controls said inviting of said other entities without contact with said superauthority.

8. The method of claim 6, wherein said modifying comprises adding or deleting said other entities on said access control list.

9. The method of claim 6, further comprising delegating privileged users by said first moderator, wherein said moderator controls said delegating privileged users without contact with said superauthority.

10. The method of claim 9, wherein said modifying of said access control list is performed by either said moderator or said privileged users.

11. The method of claim 9, wherein said delegating of said privileged users is performed by said first moderator or said privileged users.

12. A computer program product readable by machine, tangibly embodying a program of instructions executable by said machine to perform a method for dynamic delegation of control in a grid computing environment, said method comprising: granting authority of a grid node to a moderator by a superauthority; admitting said moderator to said grid node; modifying an access control list of said grid node by said moderator wherein said modifying comprises adding or deleting said other entities on said access control list; inviting other entities listed on said access control list to access said grid node; and issuing a unique authorization certificate to each of said other entities; wherein said moderator controls said inviting of said other entities without contact with said superauthority.

13. The computer program product of claim 12, further comprising delegating privileged users by said moderator, wherein said moderator controls said delegating privileged users without contact with said superauthority.

14. The computer program product of claim 13, wherein said modifying of said access control list is performed by either said moderator or said privileged users.

15. The computer program product of claim 13, wherein said delegating of said privileged users is performed by said moderator or said privileged users.

16. A service for dynamic delegation of control in a grid computing environment comprising: granting authority of a grid node to a moderator by a superauthority; admitting said moderator to said grid node; modifying an access control list of said grid node by said moderator; inviting other entities listed on said access control list to access said grid node; and issuing a unique authorization certificate to each of said other entities; wherein said moderator controls said inviting of said other entities without contact with said superauthority.

17. The service of claim 16, wherein said modifying comprises adding or deleting said other entities on said access control list.

18. The service of claim 16, further comprising delegating privileged users by said moderator, wherein said moderator controls said delegating privileged users without contact with said superauthority.

19. The service of claim 18, wherein said modifying of said access control list is performed by either said moderator or said privileged users.

20. The service of claim 18, wherein said delegating of said additional moderators is performed by said moderator or said privileged users.